diff --git a/src/wh_auth.c b/src/wh_auth.c
new file mode 100644
index 00000000..6cb2905f
--- /dev/null
+++ b/src/wh_auth.c
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2025 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+
+/*
+ * src/wh_auth.c
+ *
+ * Core Auth Manager implementation. Provides wrapper functions that delegate
+ * to the configured auth backend callbacks.
+ *
+ * - Verifies PINs/credentials
+ * - Manages sessions
+ * - Authorization decisions
+ * - Session state tracking and logging
+ *
+ * The Auth Manager is agnostic to the transport used and manages authentication
+ * of a session. It can take a PIN or certificate for verification and logs
+ * all login attempts along with actions done by logged in users. An
+ * authenticated session is separate from a comm connection and sits on top of
+ * a comm connection. Allowing for multiple authenticated sessions opened and
+ * closed multiple times through out the span of a single comm connection
+ * established.
+ */
+
+/* Pick up compile-time configuration */
+#include "wolfhsm/wh_settings.h"
+
+#include
+#include /* For NULL */
+#include /* For memset, memcpy */
+
+#include "wolfhsm/wh_common.h"
+#include "wolfhsm/wh_error.h"
+
+#include "wolfhsm/wh_auth.h"
+
+
+int wh_Auth_Init(whAuthContext* context, const whAuthConfig *config)
+{
+ /* TODO: Initialize auth manager context */
+ (void)context;
+ (void)config;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_Cleanup(whAuthContext* context)
+{
+ /* TODO: Cleanup auth manager context */
+ (void)context;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_Authenticate(whAuthContext* context, uint8_t client_id,
+ whAuthMethod method, const void* auth_data,
+ uint16_t auth_data_len,
+ whUserId* out_user_id, whSessionId* out_session_id,
+ whAuthPermissions* out_permissions)
+{
+ /* TODO: Authenticate user using specified method */
+ (void)context;
+ (void)client_id;
+ (void)method;
+ (void)auth_data;
+ (void)auth_data_len;
+ (void)out_user_id;
+ (void)out_session_id;
+ (void)out_permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_SessionCreate(whAuthContext* context, whUserId user_id,
+ uint8_t client_id, whAuthPermissions permissions,
+ whSessionId* out_session_id)
+{
+ /* TODO: Create new session for authenticated user */
+ (void)context;
+ (void)user_id;
+ (void)client_id;
+ (void)permissions;
+ (void)out_session_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_SessionDestroy(whAuthContext* context, whSessionId session_id)
+{
+ /* TODO: Destroy session */
+ (void)context;
+ (void)session_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_SessionGet(whAuthContext* context, whSessionId session_id,
+ whAuthSession* out_session)
+{
+ /* TODO: Get session information */
+ (void)context;
+ (void)session_id;
+ (void)out_session;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_CheckAuthorization(whAuthContext* context, uint8_t client_id,
+ uint16_t group, uint16_t action)
+{
+ /* TODO: Check if action is authorized for client */
+
+ printf("In authorization check: Client ID: %d, Group: %d, Action: %d\n",
+ client_id, group, action);
+ (void)context;
+ return WH_ERROR_OK;
+}
+
+int wh_Auth_UserAdd(whAuthContext* context, const char* username,
+ whUserId* out_user_id, whAuthPermissions permissions)
+{
+ /* TODO: Add new user */
+ (void)context;
+ (void)username;
+ (void)out_user_id;
+ (void)permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_UserDelete(whAuthContext* context, whUserId user_id)
+{
+ /* TODO: Delete user */
+ (void)context;
+ (void)user_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_UserSetPermissions(whAuthContext* context, whUserId user_id,
+ whAuthPermissions permissions)
+{
+ /* TODO: Set user permissions */
+ (void)context;
+ (void)user_id;
+ (void)permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_UserGet(whAuthContext* context, whUserId user_id,
+ whAuthUser* out_user)
+{
+ /* TODO: Get user information */
+ (void)context;
+ (void)user_id;
+ (void)out_user;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_UserSetCredentials(whAuthContext* context, whUserId user_id,
+ whAuthMethod method, const void* credentials,
+ uint16_t credentials_len)
+{
+ /* TODO: Set user credentials */
+ (void)context;
+ (void)user_id;
+ (void)method;
+ (void)credentials;
+ (void)credentials_len;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_SessionStatus(whAuthContext* context, uint8_t client_id,
+ uint32_t* out_active_sessions,
+ whSessionId* out_session_list, uint16_t max_sessions)
+{
+ /* TODO: Get session status for client */
+ (void)context;
+ (void)client_id;
+ (void)out_active_sessions;
+ (void)out_session_list;
+ (void)max_sessions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Auth_CommonCallback(void* auth_context, whSessionId session_id,
+ whAuthAction action, uint32_t object_id)
+{
+ /* TODO: Common callback for authorization checks throughout wolfHSM */
+ (void)auth_context;
+ (void)session_id;
+ (void)action;
+ (void)object_id;
+ return WH_ERROR_NOTIMPL;
+}
diff --git a/src/wh_client_auth.c b/src/wh_client_auth.c
new file mode 100644
index 00000000..58df1c34
--- /dev/null
+++ b/src/wh_client_auth.c
@@ -0,0 +1,470 @@
+/*
+ * Copyright (C) 2025 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+/*
+ * src/wh_client_auth.c
+ *
+ * Client-side Auth Manager API
+ */
+
+/* Pick up compile-time configuration */
+#include "wolfhsm/wh_settings.h"
+
+#ifdef WOLFHSM_CFG_ENABLE_CLIENT
+
+/* System libraries */
+#include /* For memcpy, strncpy */
+
+/* Common WolfHSM types and defines shared with the server */
+#include "wolfhsm/wh_common.h"
+#include "wolfhsm/wh_error.h"
+#include "wolfhsm/wh_comm.h"
+
+#include "wolfhsm/wh_message.h"
+#include "wolfhsm/wh_message_auth.h"
+
+#include "wolfhsm/wh_client.h"
+#include "wolfhsm/wh_auth.h"
+
+/** Authenticate */
+int wh_Client_AuthAuthenticateRequest(whClientContext* c,
+ whAuthMethod method, const void* auth_data, uint16_t auth_data_len)
+{
+ /* TODO: Send authenticate request (non-blocking).
+ * Builds and sends the authentication request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)method;
+ (void)auth_data;
+ (void)auth_data_len;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthAuthenticateResponse(whClientContext* c, int32_t *out_rc,
+ whUserId* out_user_id, whSessionId* out_session_id,
+ whAuthPermissions* out_permissions)
+{
+ /* TODO: Receive authenticate response (non-blocking).
+ * Polls for and processes the authentication response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ (void)out_user_id;
+ (void)out_session_id;
+ (void)out_permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthAuthenticate(whClientContext* c, whAuthMethod method,
+ const void* auth_data, uint16_t auth_data_len,
+ int32_t* out_rc, whUserId* out_user_id, whSessionId* out_session_id,
+ whAuthPermissions* out_permissions)
+{
+ /* TODO: Authenticate (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * authentication succeeds or fails. */
+ (void)c;
+ (void)method;
+ (void)auth_data;
+ (void)auth_data_len;
+ (void)out_rc;
+ (void)out_user_id;
+ (void)out_session_id;
+ (void)out_permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** Session Create */
+int wh_Client_AuthSessionCreateRequest(whClientContext* c,
+ whUserId user_id, whAuthPermissions permissions)
+{
+ /* TODO: Send session create request (non-blocking).
+ * Builds and sends the session create request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)user_id;
+ (void)permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionCreateResponse(whClientContext* c, int32_t *out_rc,
+ whSessionId* out_session_id)
+{
+ /* TODO: Receive session create response (non-blocking).
+ * Polls for and processes the session create response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ (void)out_session_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionCreate(whClientContext* c, whUserId user_id,
+ whAuthPermissions permissions, int32_t* out_rc,
+ whSessionId* out_session_id)
+{
+ /* TODO: Create session (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * session is created or operation fails. */
+ (void)c;
+ (void)user_id;
+ (void)permissions;
+ (void)out_rc;
+ (void)out_session_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** Session Destroy */
+int wh_Client_AuthSessionDestroyRequest(whClientContext* c,
+ whSessionId session_id)
+{
+ /* TODO: Send session destroy request (non-blocking).
+ * Builds and sends the session destroy request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)session_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionDestroyResponse(whClientContext* c, int32_t *out_rc)
+{
+ /* TODO: Receive session destroy response (non-blocking).
+ * Polls for and processes the session destroy response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionDestroy(whClientContext* c, whSessionId session_id,
+ int32_t* out_rc)
+{
+ /* TODO: Destroy session (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * session is destroyed or operation fails. */
+ (void)c;
+ (void)session_id;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** Session Get */
+int wh_Client_AuthSessionGetRequest(whClientContext* c, whSessionId session_id)
+{
+ /* TODO: Send session get request (non-blocking).
+ * Builds and sends the session get request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)session_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionGetResponse(whClientContext* c, int32_t *out_rc,
+ whAuthSession* out_session)
+{
+ /* TODO: Receive session get response (non-blocking).
+ * Polls for and processes the session get response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ (void)out_session;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionGet(whClientContext* c, whSessionId session_id,
+ int32_t* out_rc, whAuthSession* out_session)
+{
+ /* TODO: Get session (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * session information is retrieved or operation fails. */
+ (void)c;
+ (void)session_id;
+ (void)out_rc;
+ (void)out_session;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** Session Status */
+int wh_Client_AuthSessionStatusRequest(whClientContext* c)
+{
+ /* TODO: Send session status request (non-blocking).
+ * Builds and sends the session status request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionStatusResponse(whClientContext* c, int32_t *out_rc,
+ uint32_t* out_active_sessions,
+ whSessionId* out_session_list, uint16_t max_sessions)
+{
+ /* TODO: Receive session status response (non-blocking).
+ * Polls for and processes the session status response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ (void)out_active_sessions;
+ (void)out_session_list;
+ (void)max_sessions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthSessionStatus(whClientContext* c, int32_t* out_rc,
+ uint32_t* out_active_sessions,
+ whSessionId* out_session_list, uint16_t max_sessions)
+{
+ /* TODO: Get session status (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * session status is retrieved or operation fails. */
+ (void)c;
+ (void)out_rc;
+ (void)out_active_sessions;
+ (void)out_session_list;
+ (void)max_sessions;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** User Add */
+int wh_Client_AuthUserAddRequest(whClientContext* c, const char* username,
+ whAuthPermissions permissions)
+{
+ /* TODO: Send user add request (non-blocking).
+ * Builds and sends the user add request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)username;
+ (void)permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserAddResponse(whClientContext* c, int32_t *out_rc,
+ whUserId* out_user_id)
+{
+ /* TODO: Receive user add response (non-blocking).
+ * Polls for and processes the user add response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ (void)out_user_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserAdd(whClientContext* c, const char* username,
+ whAuthPermissions permissions, int32_t* out_rc, whUserId* out_user_id)
+{
+ /* TODO: Add user (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * user is added or operation fails. */
+ (void)c;
+ (void)username;
+ (void)permissions;
+ (void)out_rc;
+ (void)out_user_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** User Delete */
+int wh_Client_AuthUserDeleteRequest(whClientContext* c, whUserId user_id)
+{
+ /* TODO: Send user delete request (non-blocking).
+ * Builds and sends the user delete request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)user_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserDeleteResponse(whClientContext* c, int32_t *out_rc)
+{
+ /* TODO: Receive user delete response (non-blocking).
+ * Polls for and processes the user delete response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserDelete(whClientContext* c, whUserId user_id,
+ int32_t* out_rc)
+{
+ /* TODO: Delete user (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * user is deleted or operation fails. */
+ (void)c;
+ (void)user_id;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** User Get */
+int wh_Client_AuthUserGetRequest(whClientContext* c, whUserId user_id)
+{
+ /* TODO: Send user get request (non-blocking).
+ * Builds and sends the user get request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)user_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserGetResponse(whClientContext* c, int32_t *out_rc,
+ whAuthUser* out_user)
+{
+ /* TODO: Receive user get response (non-blocking).
+ * Polls for and processes the user get response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ (void)out_user;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserGet(whClientContext* c, whUserId user_id,
+ int32_t* out_rc, whAuthUser* out_user)
+{
+ /* TODO: Get user (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * user information is retrieved or operation fails. */
+ (void)c;
+ (void)user_id;
+ (void)out_rc;
+ (void)out_user;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** User Set Permissions */
+int wh_Client_AuthUserSetPermissionsRequest(whClientContext* c,
+ whUserId user_id, whAuthPermissions permissions)
+{
+ /* TODO: Send user set permissions request (non-blocking).
+ * Builds and sends the user set permissions request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)user_id;
+ (void)permissions;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserSetPermissionsResponse(whClientContext* c, int32_t *out_rc)
+{
+ /* TODO: Receive user set permissions response (non-blocking).
+ * Polls for and processes the user set permissions response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserSetPermissions(whClientContext* c, whUserId user_id,
+ whAuthPermissions permissions, int32_t* out_rc)
+{
+ /* TODO: Set user permissions (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * permissions are set or operation fails. */
+ (void)c;
+ (void)user_id;
+ (void)permissions;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** User Set Credentials */
+int wh_Client_AuthUserSetCredentialsRequest(whClientContext* c,
+ whUserId user_id, whAuthMethod method, const void* credentials,
+ uint16_t credentials_len)
+{
+ /* TODO: Send user set credentials request (non-blocking).
+ * Builds and sends the user set credentials request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)user_id;
+ (void)method;
+ (void)credentials;
+ (void)credentials_len;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserSetCredentialsResponse(whClientContext* c, int32_t *out_rc)
+{
+ /* TODO: Receive user set credentials response (non-blocking).
+ * Polls for and processes the user set credentials response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthUserSetCredentials(whClientContext* c, whUserId user_id,
+ whAuthMethod method, const void* credentials, uint16_t credentials_len,
+ int32_t* out_rc)
+{
+ /* TODO: Set user credentials (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * credentials are set or operation fails. */
+ (void)c;
+ (void)user_id;
+ (void)method;
+ (void)credentials;
+ (void)credentials_len;
+ (void)out_rc;
+ return WH_ERROR_NOTIMPL;
+}
+
+/** Check Authorization */
+int wh_Client_AuthCheckAuthorizationRequest(whClientContext* c,
+ whSessionId session_id, whAuthAction action, uint32_t object_id)
+{
+ /* TODO: Send check authorization request (non-blocking).
+ * Builds and sends the check authorization request message. Returns immediately.
+ * May return WH_ERROR_NOTREADY if send buffer is busy. */
+ (void)c;
+ (void)session_id;
+ (void)action;
+ (void)object_id;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthCheckAuthorizationResponse(whClientContext* c, int32_t *out_rc,
+ bool* out_authorized)
+{
+ /* TODO: Receive check authorization response (non-blocking).
+ * Polls for and processes the check authorization response. Returns immediately.
+ * Returns WH_ERROR_NOTREADY if response not yet available. */
+ (void)c;
+ (void)out_rc;
+ (void)out_authorized;
+ return WH_ERROR_NOTIMPL;
+}
+
+int wh_Client_AuthCheckAuthorization(whClientContext* c,
+ whSessionId session_id, whAuthAction action, uint32_t object_id,
+ int32_t* out_rc, bool* out_authorized)
+{
+ /* TODO: Check authorization (blocking convenience wrapper).
+ * Calls Request, then loops on Response until complete. Blocks until
+ * authorization check completes or operation fails. */
+ (void)c;
+ (void)session_id;
+ (void)action;
+ (void)object_id;
+ (void)out_rc;
+ (void)out_authorized;
+ return WH_ERROR_NOTIMPL;
+}
+
+#endif /* WOLFHSM_CFG_ENABLE_CLIENT */
diff --git a/src/wh_message_auth.c b/src/wh_message_auth.c
new file mode 100644
index 00000000..38254a56
--- /dev/null
+++ b/src/wh_message_auth.c
@@ -0,0 +1,234 @@
+/*
+ * Copyright (C) 2025 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+/*
+ * src/wh_message_auth.c
+ *
+ * Message translation functions for Auth Manager messages
+ */
+
+/* Pick up compile-time configuration */
+#include "wolfhsm/wh_settings.h"
+
+#include
+#include
+
+#include "wolfhsm/wh_error.h"
+#include "wolfhsm/wh_comm.h"
+#include "wolfhsm/wh_message.h"
+
+#include "wolfhsm/wh_message_auth.h"
+
+
+int wh_MessageAuth_TranslateSimpleResponse(uint16_t magic,
+ const whMessageAuth_SimpleResponse* src,
+ whMessageAuth_SimpleResponse* dest)
+{
+ /* TODO: Translate simple response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateAuthenticateRequest(uint16_t magic,
+ const whMessageAuth_AuthenticateRequest* src,
+ whMessageAuth_AuthenticateRequest* dest)
+{
+ /* TODO: Translate authenticate request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateAuthenticateResponse(uint16_t magic,
+ const whMessageAuth_AuthenticateResponse* src,
+ whMessageAuth_AuthenticateResponse* dest)
+{
+ /* TODO: Translate authenticate response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateSessionCreateRequest(uint16_t magic,
+ const whMessageAuth_SessionCreateRequest* src,
+ whMessageAuth_SessionCreateRequest* dest)
+{
+ /* TODO: Translate session create request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateSessionCreateResponse(uint16_t magic,
+ const whMessageAuth_SessionCreateResponse* src,
+ whMessageAuth_SessionCreateResponse* dest)
+{
+ /* TODO: Translate session create response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateSessionDestroyRequest(uint16_t magic,
+ const whMessageAuth_SessionDestroyRequest* src,
+ whMessageAuth_SessionDestroyRequest* dest)
+{
+ /* TODO: Translate session destroy request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateSessionGetRequest(uint16_t magic,
+ const whMessageAuth_SessionGetRequest* src,
+ whMessageAuth_SessionGetRequest* dest)
+{
+ /* TODO: Translate session get request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateSessionGetResponse(uint16_t magic,
+ const whMessageAuth_SessionGetResponse* src,
+ whMessageAuth_SessionGetResponse* dest)
+{
+ /* TODO: Translate session get response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateSessionStatusResponse(uint16_t magic,
+ const whMessageAuth_SessionStatusResponse* src,
+ whMessageAuth_SessionStatusResponse* dest)
+{
+ /* TODO: Translate session status response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateUserAddRequest(uint16_t magic,
+ const whMessageAuth_UserAddRequest* src,
+ whMessageAuth_UserAddRequest* dest)
+{
+ /* TODO: Translate user add request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateUserAddResponse(uint16_t magic,
+ const whMessageAuth_UserAddResponse* src,
+ whMessageAuth_UserAddResponse* dest)
+{
+ /* TODO: Translate user add response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateUserDeleteRequest(uint16_t magic,
+ const whMessageAuth_UserDeleteRequest* src,
+ whMessageAuth_UserDeleteRequest* dest)
+{
+ /* TODO: Translate user delete request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateUserGetRequest(uint16_t magic,
+ const whMessageAuth_UserGetRequest* src,
+ whMessageAuth_UserGetRequest* dest)
+{
+ /* TODO: Translate user get request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateUserGetResponse(uint16_t magic,
+ const whMessageAuth_UserGetResponse* src,
+ whMessageAuth_UserGetResponse* dest)
+{
+ /* TODO: Translate user get response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateUserSetPermissionsRequest(uint16_t magic,
+ const whMessageAuth_UserSetPermissionsRequest* src,
+ whMessageAuth_UserSetPermissionsRequest* dest)
+{
+ /* TODO: Translate user set permissions request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateUserSetCredentialsRequest(uint16_t magic,
+ const whMessageAuth_UserSetCredentialsRequest* src,
+ whMessageAuth_UserSetCredentialsRequest* dest)
+{
+ /* TODO: Translate user set credentials request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateCheckAuthorizationRequest(uint16_t magic,
+ const whMessageAuth_CheckAuthorizationRequest* src,
+ whMessageAuth_CheckAuthorizationRequest* dest)
+{
+ /* TODO: Translate check authorization request message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
+
+int wh_MessageAuth_TranslateCheckAuthorizationResponse(uint16_t magic,
+ const whMessageAuth_CheckAuthorizationResponse* src,
+ whMessageAuth_CheckAuthorizationResponse* dest)
+{
+ /* TODO: Translate check authorization response message */
+ (void)magic;
+ (void)src;
+ (void)dest;
+ return 0;
+}
diff --git a/src/wh_server.c b/src/wh_server.c
index 3ca4fa3e..c36720e1 100644
--- a/src/wh_server.c
+++ b/src/wh_server.c
@@ -42,10 +42,12 @@
#include "wolfhsm/wh_message.h"
#include "wolfhsm/wh_message_comm.h"
#include "wolfhsm/wh_message_nvm.h"
+#include "wolfhsm/wh_message_auth.h"
/* Server API's */
#include "wolfhsm/wh_server.h"
#include "wolfhsm/wh_server_nvm.h"
+#include "wolfhsm/wh_server_auth.h"
#include "wolfhsm/wh_server_crypto.h"
#include "wolfhsm/wh_server_keystore.h"
#include "wolfhsm/wh_server_counter.h"
@@ -75,6 +77,7 @@ int wh_Server_Init(whServerContext* server, whServerConfig* config)
memset(server, 0, sizeof(*server));
server->nvm = config->nvm;
+ server->auth = config->auth;
#ifndef WOLFHSM_CFG_NO_CRYPTO
server->crypto = config->crypto;
@@ -318,6 +321,17 @@ int wh_Server_HandleRequestMessage(whServerContext* server)
if (rc == 0) {
group = WH_MESSAGE_GROUP(kind);
action = WH_MESSAGE_ACTION(kind);
+
+ /* If the authentication context is set then check if the action is
+ * allowed */
+ if (server->auth != NULL) {
+ rc = wh_Auth_CheckAuthorization(server->auth,
+ server->comm->client_id, group, action);
+ if (rc != WH_ERROR_OK) {
+ return rc;
+ }
+ }
+
switch (group) {
case WH_MESSAGE_GROUP_COMM:
@@ -330,6 +344,11 @@ int wh_Server_HandleRequestMessage(whServerContext* server)
size, data, &size, data);
break;
+ case WH_MESSAGE_GROUP_AUTH:
+ rc = wh_Server_HandleAuthRequest(server, magic, action, seq,
+ size, data, &size, data);
+ break;
+
case WH_MESSAGE_GROUP_COUNTER:
rc = wh_Server_HandleCounter(server, magic, action, size, data,
&size, data);
diff --git a/src/wh_server_auth.c b/src/wh_server_auth.c
new file mode 100644
index 00000000..4e97df80
--- /dev/null
+++ b/src/wh_server_auth.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2025 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+/*
+ * src/wh_server_auth.c
+ *
+ * Server-side Auth Manager request handler
+ */
+
+/* Pick up compile-time configuration */
+#include "wolfhsm/wh_settings.h"
+
+#ifdef WOLFHSM_CFG_ENABLE_SERVER
+
+/* System libraries */
+#include
+#include /* For NULL */
+
+/* Common WolfHSM types and defines shared with the server */
+#include "wolfhsm/wh_error.h"
+#include "wolfhsm/wh_comm.h"
+
+#include "wolfhsm/wh_auth.h"
+
+#include "wolfhsm/wh_message.h"
+#include "wolfhsm/wh_message_auth.h"
+
+#include "wolfhsm/wh_server.h"
+#include "wolfhsm/wh_server_auth.h"
+
+int wh_Server_HandleAuthRequest(whServerContext* server,
+ uint16_t magic, uint16_t action, uint16_t seq,
+ uint16_t req_size, const void* req_packet,
+ uint16_t *out_resp_size, void* resp_packet)
+{
+ /* TODO: Handle auth manager requests
+ * This would be used for an admin on the client side to add users, set
+ * permissions and manage sessions.
+ *
+ * A non admin could use this for Auth Manager API's that require less
+ * permissions or for messages to authenticate and open a session. */
+
+ (void)server;
+ (void)magic;
+ (void)action;
+ (void)seq;
+ (void)req_size;
+ (void)req_packet;
+ (void)out_resp_size;
+ (void)resp_packet;
+
+ *out_resp_size = 0;
+ return WH_ERROR_NOTIMPL;
+}
+
+#endif /* WOLFHSM_CFG_ENABLE_SERVER */
diff --git a/wolfhsm/wh_auth.h b/wolfhsm/wh_auth.h
new file mode 100644
index 00000000..46c9eb42
--- /dev/null
+++ b/wolfhsm/wh_auth.h
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2025 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+/*
+ * wolfhsm/wh_auth.h
+ *
+ * Abstract library to provide authentication and authorization management.
+ * The Auth Manager is transport-agnostic and protocol-agnostic, providing
+ * core security services for all wolfHSM operations.
+ *
+ * The Auth Manager:
+ * - Verifies PINs/credentials
+ * - Manages sessions
+ * - Makes authorization decisions
+ * - Tracks session state and logs authentication attempts
+ */
+
+#ifndef WOLFHSM_WH_AUTH_H_
+#define WOLFHSM_WH_AUTH_H_
+
+/* Pick up compile-time configuration */
+#include "wolfhsm/wh_settings.h"
+
+#include
+#include
+
+#include "wolfhsm/wh_common.h"
+
+/** Auth Manager Types */
+
+/* User identifier type */
+typedef uint16_t whUserId;
+#define WH_USER_ID_INVALID ((whUserId)0)
+#define WH_USER_ID_ADMIN ((whUserId)1)
+
+/* Session identifier type */
+typedef uint32_t whSessionId;
+#define WH_SESSION_ID_INVALID ((whSessionId)0)
+
+/* Authentication method enumeration */
+typedef enum {
+ WH_AUTH_METHOD_NONE = 0,
+ WH_AUTH_METHOD_PIN,
+ WH_AUTH_METHOD_CERTIFICATE,
+ WH_AUTH_METHOD_CHALLENGE_RESPONSE,
+ WH_AUTH_METHOD_PSK,
+} whAuthMethod;
+
+/* Permission flags */
+typedef uint32_t whAuthPermissions;
+#define WH_AUTH_PERM_NONE ((whAuthPermissions)0x00000000)
+#define WH_AUTH_PERM_READ ((whAuthPermissions)0x00000001)
+#define WH_AUTH_PERM_WRITE ((whAuthPermissions)0x00000002)
+#define WH_AUTH_PERM_EXEC ((whAuthPermissions)0x00000004)
+#define WH_AUTH_PERM_ADMIN ((whAuthPermissions)0x00000008)
+#define WH_AUTH_PERM_USER_MGMT ((whAuthPermissions)0x00000010)
+#define WH_AUTH_PERM_KEY_MGMT ((whAuthPermissions)0x00000020)
+#define WH_AUTH_PERM_NVM_MGMT ((whAuthPermissions)0x00000040)
+#define WH_AUTH_PERM_ALL ((whAuthPermissions)0xFFFFFFFF)
+
+/* Action types for authorization checks */
+typedef enum {
+ WH_ACTION_NONE = 0,
+ WH_ACTION_OBJECT_READ,
+ WH_ACTION_OBJECT_WRITE,
+ WH_ACTION_OBJECT_DELETE,
+ WH_ACTION_KEY_USE,
+ WH_ACTION_KEY_EXPORT,
+ WH_ACTION_USER_ADD,
+ WH_ACTION_USER_DELETE,
+ WH_ACTION_USER_MODIFY,
+ WH_ACTION_PERMISSION_SET,
+} whAuthAction;
+
+/* Session state */
+typedef struct {
+ whSessionId session_id;
+ whUserId user_id;
+ uint8_t client_id;
+ whAuthPermissions permissions;
+ uint32_t created_time;
+ uint32_t last_access_time;
+ uint32_t timeout;
+ bool is_valid;
+} whAuthSession;
+
+/* User information */
+typedef struct {
+ whUserId user_id;
+ char username[32]; /* Max username length */
+ whAuthPermissions permissions;
+ bool is_active;
+ uint32_t failed_attempts;
+ uint32_t lockout_until; /* Timestamp when lockout expires */
+} whAuthUser;
+
+/** Auth Manager Callback Structure */
+
+typedef struct {
+ /* Initialize the auth backend */
+ int (*Init)(void* context, const void *config);
+
+ /* Cleanup the auth backend */
+ int (*Cleanup)(void* context);
+
+ /* Authenticate a user using the specified method */
+ int (*Authenticate)(void* context, uint8_t client_id,
+ whAuthMethod method, const void* auth_data,
+ uint16_t auth_data_len,
+ whUserId* out_user_id, whSessionId* out_session_id,
+ whAuthPermissions* out_permissions);
+
+ /* Create a new session for an authenticated user */
+ int (*SessionCreate)(void* context, whUserId user_id, uint8_t client_id,
+ whAuthPermissions permissions,
+ whSessionId* out_session_id);
+
+ /* Destroy a session */
+ int (*SessionDestroy)(void* context, whSessionId session_id);
+
+ /* Get session information */
+ int (*SessionGet)(void* context, whSessionId session_id,
+ whAuthSession* out_session);
+
+ /* Check if an action is authorized for a session */
+ int (*CheckAuthorization)(void* context, whSessionId session_id,
+ whAuthAction action, uint32_t object_id);
+
+ /* Add a new user */
+ int (*UserAdd)(void* context, const char* username, whUserId* out_user_id,
+ whAuthPermissions permissions);
+
+ /* Delete a user */
+ int (*UserDelete)(void* context, whUserId user_id);
+
+ /* Set user permissions */
+ int (*UserSetPermissions)(void* context, whUserId user_id,
+ whAuthPermissions permissions);
+
+ /* Get user information */
+ int (*UserGet)(void* context, whUserId user_id, whAuthUser* out_user);
+
+ /* Set user credentials (PIN, etc.) */
+ int (*UserSetCredentials)(void* context, whUserId user_id,
+ whAuthMethod method, const void* credentials,
+ uint16_t credentials_len);
+
+ /* Get session status/count */
+ int (*SessionStatus)(void* context, uint8_t client_id,
+ uint32_t* out_active_sessions,
+ whSessionId* out_session_list, uint16_t max_sessions);
+} whAuthCb;
+
+/** Auth Manager Context and Config */
+
+/* Simple helper context structure associated with an Auth Manager instance */
+typedef struct whAuthContext_t {
+ whAuthCb *cb;
+ void* context;
+} whAuthContext;
+
+/* Simple helper configuration structure associated with an Auth Manager instance */
+typedef struct whAuthConfig_t {
+ whAuthCb *cb;
+ void* context;
+ void* config;
+} whAuthConfig;
+
+/** Common Auth Callback Function Type
+ *
+ * This callback can be used throughout wolfHSM when consulting the auth manager.
+ * It provides a simple interface for authorization checks that can be called from
+ * any component (NVM, Key Management, PKCS#11 handler, etc.)
+ */
+typedef int (*whAuthCommonCb)(void* auth_context, whSessionId session_id,
+ whAuthAction action, uint32_t object_id);
+
+/** Public Auth Manager API Functions */
+
+/* Initialize the auth manager */
+int wh_Auth_Init(whAuthContext* context, const whAuthConfig *config);
+
+/* Cleanup the auth manager */
+int wh_Auth_Cleanup(whAuthContext* context);
+
+/* Authenticate a user */
+int wh_Auth_Authenticate(whAuthContext* context, uint8_t client_id,
+ whAuthMethod method, const void* auth_data,
+ uint16_t auth_data_len,
+ whUserId* out_user_id, whSessionId* out_session_id,
+ whAuthPermissions* out_permissions);
+
+/* Create a new session */
+int wh_Auth_SessionCreate(whAuthContext* context, whUserId user_id,
+ uint8_t client_id, whAuthPermissions permissions,
+ whSessionId* out_session_id);
+
+/* Destroy a session */
+int wh_Auth_SessionDestroy(whAuthContext* context, whSessionId session_id);
+
+/* Get session information */
+int wh_Auth_SessionGet(whAuthContext* context, whSessionId session_id,
+ whAuthSession* out_session);
+
+/* Check authorization for an action */
+int wh_Auth_CheckAuthorization(whAuthContext* context, uint8_t client_id,
+ uint16_t group, uint16_t action);
+
+/* Add a new user */
+int wh_Auth_UserAdd(whAuthContext* context, const char* username,
+ whUserId* out_user_id, whAuthPermissions permissions);
+
+/* Delete a user */
+int wh_Auth_UserDelete(whAuthContext* context, whUserId user_id);
+
+/* Set user permissions */
+int wh_Auth_UserSetPermissions(whAuthContext* context, whUserId user_id,
+ whAuthPermissions permissions);
+
+/* Get user information */
+int wh_Auth_UserGet(whAuthContext* context, whUserId user_id,
+ whAuthUser* out_user);
+
+/* Set user credentials */
+int wh_Auth_UserSetCredentials(whAuthContext* context, whUserId user_id,
+ whAuthMethod method, const void* credentials,
+ uint16_t credentials_len);
+
+/* Get session status */
+int wh_Auth_SessionStatus(whAuthContext* context, uint8_t client_id,
+ uint32_t* out_active_sessions,
+ whSessionId* out_session_list, uint16_t max_sessions);
+
+/** Common Auth Callback Helper
+ *
+ * This function provides a simple way to check authorization from any component
+ * in wolfHSM. It can be used as a callback function pointer or called directly.
+ *
+ * @param[in] auth_context Pointer to the auth context (cast from void*)
+ * @param[in] session_id The session ID to check authorization for
+ * @param[in] action The action being requested
+ * @param[in] object_id The object ID (if applicable, 0 for general actions)
+ * @return int Returns 0 if authorized, WH_ERROR_ACCESS if denied, or other error codes
+ */
+int wh_Auth_CommonCallback(void* auth_context, whSessionId session_id,
+ whAuthAction action, uint32_t object_id);
+
+#endif /* !WOLFHSM_WH_AUTH_H_ */
diff --git a/wolfhsm/wh_client.h b/wolfhsm/wh_client.h
index 4a5a7b92..24ce7798 100644
--- a/wolfhsm/wh_client.h
+++ b/wolfhsm/wh_client.h
@@ -53,6 +53,7 @@
#include "wolfhsm/wh_dma.h"
#endif /* WOLFHSM_CFG_DMA */
#include "wolfhsm/wh_keyid.h"
+#include "wolfhsm/wh_auth.h"
/* Forward declaration of the client structure so its elements can reference
@@ -1866,6 +1867,67 @@ int wh_Client_CustomCbCheckRegisteredResponse(whClientContext* c,
int wh_Client_CustomCbCheckRegistered(whClientContext* c, uint16_t id,
int* responseError);
+/* Auth Manager functions */
+
+/**
+ * @brief Sends an authentication request to the server.
+ *
+ * This function prepares and sends an authentication request message to the server.
+ * The request includes the authentication method and authentication data (e.g., PIN).
+ * This function does not block; it returns immediately after sending the request.
+ *
+ * @param[in] c Pointer to the client context.
+ * @param[in] method The authentication method to use (e.g., WH_AUTH_METHOD_PIN).
+ * @param[in] auth_data Pointer to the authentication data.
+ * @param[in] auth_data_len Length of the authentication data.
+ * @return int Returns 0 on success, or a negative error code on failure.
+ */
+int wh_Client_AuthAuthenticateRequest(whClientContext* c,
+ whAuthMethod method, const void* auth_data, uint16_t auth_data_len);
+
+/**
+ * @brief Receives an authentication response from the server.
+ *
+ * This function attempts to process an authentication response message from the server.
+ * It validates the response and extracts the return code, user ID, session ID, and
+ * permissions. This function does not block; it returns WH_ERROR_NOTREADY if a
+ * response has not been received.
+ *
+ * @param[in] c Pointer to the client context.
+ * @param[out] out_rc Pointer to store the return code from the server.
+ * @param[out] out_user_id Pointer to store the authenticated user ID.
+ * @param[out] out_session_id Pointer to store the session ID.
+ * @param[out] out_permissions Pointer to store the user permissions.
+ * @return int Returns 0 on success, WH_ERROR_NOTREADY if no response is
+ * available, or a negative error code on failure.
+ */
+int wh_Client_AuthAuthenticateResponse(whClientContext* c, int32_t *out_rc,
+ whUserId* out_user_id, whSessionId* out_session_id,
+ whAuthPermissions* out_permissions);
+
+/**
+ * @brief Authenticates a user with the server (blocking convenience wrapper).
+ *
+ * This function handles the complete process of sending an authentication request
+ * to the server and receiving the response. It sends the request and repeatedly
+ * attempts to receive a valid response. This function blocks until the entire
+ * operation is complete or an error occurs.
+ *
+ * @param[in] c Pointer to the client context.
+ * @param[in] method The authentication method to use (e.g., WH_AUTH_METHOD_PIN).
+ * @param[in] auth_data Pointer to the authentication data.
+ * @param[in] auth_data_len Length of the authentication data.
+ * @param[out] out_rc Pointer to store the return code from the server.
+ * @param[out] out_user_id Pointer to store the authenticated user ID.
+ * @param[out] out_session_id Pointer to store the session ID.
+ * @param[out] out_permissions Pointer to store the user permissions.
+ * @return int Returns 0 on success, or a negative error code on failure.
+ */
+int wh_Client_AuthAuthenticate(whClientContext* c, whAuthMethod method,
+ const void* auth_data, uint16_t auth_data_len,
+ int32_t* out_rc, whUserId* out_user_id, whSessionId* out_session_id,
+ whAuthPermissions* out_permissions);
+
/* Certificate functions */
/**
diff --git a/wolfhsm/wh_message.h b/wolfhsm/wh_message.h
index 1b34c2ef..220978a7 100644
--- a/wolfhsm/wh_message.h
+++ b/wolfhsm/wh_message.h
@@ -47,6 +47,7 @@ enum WH_MESSAGE_ENUM {
WH_MESSAGE_GROUP_CUSTOM = 0x0A00, /* User-specified features */
WH_MESSAGE_GROUP_CRYPTO_DMA = 0x0B00, /* DMA crypto operations */
WH_MESSAGE_GROUP_CERT = 0x0C00, /* Certificate operations */
+ WH_MESSAGE_GROUP_AUTH = 0x0D00, /* Authentication and authorization */
WH_MESSAGE_ACTION_MASK = 0x00FF, /* 255 subtypes per group*/
WH_MESSAGE_ACTION_NONE = 0x0000, /* No action. Invalid. */
diff --git a/wolfhsm/wh_message_auth.h b/wolfhsm/wh_message_auth.h
new file mode 100644
index 00000000..77130948
--- /dev/null
+++ b/wolfhsm/wh_message_auth.h
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) 2025 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+/*
+ * wolfhsm/wh_message_auth.h
+ *
+ * Message definitions for Auth Manager operations
+ */
+
+#ifndef WOLFHSM_WH_MESSAGE_AUTH_H_
+#define WOLFHSM_WH_MESSAGE_AUTH_H_
+
+/* Pick up compile-time configuration */
+#include "wolfhsm/wh_settings.h"
+
+#include
+
+#include "wolfhsm/wh_common.h"
+#include "wolfhsm/wh_comm.h"
+#include "wolfhsm/wh_message.h"
+#include "wolfhsm/wh_auth.h"
+
+enum WH_MESSAGE_AUTH_ACTION_ENUM {
+ WH_MESSAGE_AUTH_ACTION_AUTHENTICATE = 0x01,
+ WH_MESSAGE_AUTH_ACTION_SESSION_CREATE = 0x02,
+ WH_MESSAGE_AUTH_ACTION_SESSION_DESTROY = 0x03,
+ WH_MESSAGE_AUTH_ACTION_SESSION_GET = 0x04,
+ WH_MESSAGE_AUTH_ACTION_SESSION_STATUS = 0x05,
+ WH_MESSAGE_AUTH_ACTION_USER_ADD = 0x06,
+ WH_MESSAGE_AUTH_ACTION_USER_DELETE = 0x07,
+ WH_MESSAGE_AUTH_ACTION_USER_GET = 0x08,
+ WH_MESSAGE_AUTH_ACTION_USER_SET_PERMISSIONS = 0x09,
+ WH_MESSAGE_AUTH_ACTION_USER_SET_CREDENTIALS = 0x0A,
+ WH_MESSAGE_AUTH_ACTION_CHECK_AUTHORIZATION = 0x0B,
+};
+
+enum WH_MESSAGE_AUTH_MAX_ENUM {
+ WH_MESSAGE_AUTH_MAX_USERNAME_LEN = 32,
+ WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN = WOLFHSM_CFG_COMM_DATA_LEN - 64,
+ WH_MESSAGE_AUTH_MAX_SESSIONS = 16,
+};
+
+/* Simple reusable response message */
+typedef struct {
+ int32_t rc;
+} whMessageAuth_SimpleResponse;
+
+int wh_MessageAuth_TranslateSimpleResponse(uint16_t magic,
+ const whMessageAuth_SimpleResponse* src,
+ whMessageAuth_SimpleResponse* dest);
+
+/** Authenticate Request */
+typedef struct {
+ uint8_t method; /* whAuthMethod */
+ uint16_t auth_data_len;
+ uint8_t WH_PAD[1];
+ /* Auth data up to WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN follows */
+} whMessageAuth_AuthenticateRequest;
+
+int wh_MessageAuth_TranslateAuthenticateRequest(uint16_t magic,
+ const whMessageAuth_AuthenticateRequest* src,
+ whMessageAuth_AuthenticateRequest* dest);
+
+/** Authenticate Response */
+typedef struct {
+ int32_t rc;
+ uint16_t user_id;
+ uint32_t session_id;
+ uint32_t permissions;
+} whMessageAuth_AuthenticateResponse;
+
+int wh_MessageAuth_TranslateAuthenticateResponse(uint16_t magic,
+ const whMessageAuth_AuthenticateResponse* src,
+ whMessageAuth_AuthenticateResponse* dest);
+
+/** Session Create Request */
+typedef struct {
+ uint16_t user_id;
+ uint32_t permissions;
+} whMessageAuth_SessionCreateRequest;
+
+int wh_MessageAuth_TranslateSessionCreateRequest(uint16_t magic,
+ const whMessageAuth_SessionCreateRequest* src,
+ whMessageAuth_SessionCreateRequest* dest);
+
+/** Session Create Response */
+typedef struct {
+ int32_t rc;
+ uint32_t session_id;
+} whMessageAuth_SessionCreateResponse;
+
+int wh_MessageAuth_TranslateSessionCreateResponse(uint16_t magic,
+ const whMessageAuth_SessionCreateResponse* src,
+ whMessageAuth_SessionCreateResponse* dest);
+
+/** Session Destroy Request */
+typedef struct {
+ uint32_t session_id;
+} whMessageAuth_SessionDestroyRequest;
+
+int wh_MessageAuth_TranslateSessionDestroyRequest(uint16_t magic,
+ const whMessageAuth_SessionDestroyRequest* src,
+ whMessageAuth_SessionDestroyRequest* dest);
+
+/** Session Destroy Response */
+/* Use SimpleResponse */
+
+/** Session Get Request */
+typedef struct {
+ uint32_t session_id;
+} whMessageAuth_SessionGetRequest;
+
+int wh_MessageAuth_TranslateSessionGetRequest(uint16_t magic,
+ const whMessageAuth_SessionGetRequest* src,
+ whMessageAuth_SessionGetRequest* dest);
+
+/** Session Get Response */
+typedef struct {
+ int32_t rc;
+ uint32_t session_id;
+ uint16_t user_id;
+ uint16_t client_id;
+ uint32_t permissions;
+ uint32_t created_time;
+ uint32_t last_access_time;
+ uint32_t timeout;
+ uint8_t is_valid;
+ uint8_t WH_PAD[3];
+} whMessageAuth_SessionGetResponse;
+
+int wh_MessageAuth_TranslateSessionGetResponse(uint16_t magic,
+ const whMessageAuth_SessionGetResponse* src,
+ whMessageAuth_SessionGetResponse* dest);
+
+/** Session Status Request */
+/* Empty message */
+
+/** Session Status Response */
+typedef struct {
+ int32_t rc;
+ uint32_t active_sessions;
+ uint32_t session_list[WH_MESSAGE_AUTH_MAX_SESSIONS];
+} whMessageAuth_SessionStatusResponse;
+
+int wh_MessageAuth_TranslateSessionStatusResponse(uint16_t magic,
+ const whMessageAuth_SessionStatusResponse* src,
+ whMessageAuth_SessionStatusResponse* dest);
+
+/** User Add Request */
+typedef struct {
+ char username[WH_MESSAGE_AUTH_MAX_USERNAME_LEN];
+ uint32_t permissions;
+} whMessageAuth_UserAddRequest;
+
+int wh_MessageAuth_TranslateUserAddRequest(uint16_t magic,
+ const whMessageAuth_UserAddRequest* src,
+ whMessageAuth_UserAddRequest* dest);
+
+/** User Add Response */
+typedef struct {
+ int32_t rc;
+ uint16_t user_id;
+ uint8_t WH_PAD[2];
+} whMessageAuth_UserAddResponse;
+
+int wh_MessageAuth_TranslateUserAddResponse(uint16_t magic,
+ const whMessageAuth_UserAddResponse* src,
+ whMessageAuth_UserAddResponse* dest);
+
+/** User Delete Request */
+typedef struct {
+ uint16_t user_id;
+ uint8_t WH_PAD[2];
+} whMessageAuth_UserDeleteRequest;
+
+int wh_MessageAuth_TranslateUserDeleteRequest(uint16_t magic,
+ const whMessageAuth_UserDeleteRequest* src,
+ whMessageAuth_UserDeleteRequest* dest);
+
+/** User Delete Response */
+/* Use SimpleResponse */
+
+/** User Get Request */
+typedef struct {
+ uint16_t user_id;
+ uint8_t WH_PAD[2];
+} whMessageAuth_UserGetRequest;
+
+int wh_MessageAuth_TranslateUserGetRequest(uint16_t magic,
+ const whMessageAuth_UserGetRequest* src,
+ whMessageAuth_UserGetRequest* dest);
+
+/** User Get Response */
+typedef struct {
+ int32_t rc;
+ uint16_t user_id;
+ uint8_t WH_PAD[2];
+ char username[WH_MESSAGE_AUTH_MAX_USERNAME_LEN];
+ uint32_t permissions;
+ uint8_t is_active;
+ uint8_t WH_PAD2[3];
+ uint32_t failed_attempts;
+ uint32_t lockout_until;
+} whMessageAuth_UserGetResponse;
+
+int wh_MessageAuth_TranslateUserGetResponse(uint16_t magic,
+ const whMessageAuth_UserGetResponse* src,
+ whMessageAuth_UserGetResponse* dest);
+
+/** User Set Permissions Request */
+typedef struct {
+ uint16_t user_id;
+ uint8_t WH_PAD[2];
+ uint32_t permissions;
+} whMessageAuth_UserSetPermissionsRequest;
+
+int wh_MessageAuth_TranslateUserSetPermissionsRequest(uint16_t magic,
+ const whMessageAuth_UserSetPermissionsRequest* src,
+ whMessageAuth_UserSetPermissionsRequest* dest);
+
+/** User Set Permissions Response */
+/* Use SimpleResponse */
+
+/** User Set Credentials Request */
+typedef struct {
+ uint16_t user_id;
+ uint8_t method; /* whAuthMethod */
+ uint16_t credentials_len;
+ /* Credentials data up to WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN follows */
+} whMessageAuth_UserSetCredentialsRequest;
+
+int wh_MessageAuth_TranslateUserSetCredentialsRequest(uint16_t magic,
+ const whMessageAuth_UserSetCredentialsRequest* src,
+ whMessageAuth_UserSetCredentialsRequest* dest);
+
+/** User Set Credentials Response */
+/* Use SimpleResponse */
+
+/** Check Authorization Request */
+typedef struct {
+ uint32_t session_id;
+ uint8_t action; /* whAuthAction */
+ uint8_t WH_PAD[3];
+ uint32_t object_id;
+} whMessageAuth_CheckAuthorizationRequest;
+
+int wh_MessageAuth_TranslateCheckAuthorizationRequest(uint16_t magic,
+ const whMessageAuth_CheckAuthorizationRequest* src,
+ whMessageAuth_CheckAuthorizationRequest* dest);
+
+/** Check Authorization Response */
+typedef struct {
+ int32_t rc;
+ uint8_t authorized;
+ uint8_t WH_PAD[3];
+} whMessageAuth_CheckAuthorizationResponse;
+
+int wh_MessageAuth_TranslateCheckAuthorizationResponse(uint16_t magic,
+ const whMessageAuth_CheckAuthorizationResponse* src,
+ whMessageAuth_CheckAuthorizationResponse* dest);
+
+#endif /* !WOLFHSM_WH_MESSAGE_AUTH_H_ */
diff --git a/wolfhsm/wh_server.h b/wolfhsm/wh_server.h
index 2c3dc02a..574a0324 100644
--- a/wolfhsm/wh_server.h
+++ b/wolfhsm/wh_server.h
@@ -40,6 +40,7 @@ typedef struct whServerContext_t whServerContext;
#include "wolfhsm/wh_comm.h"
#include "wolfhsm/wh_keycache.h"
#include "wolfhsm/wh_nvm.h"
+#include "wolfhsm/wh_auth.h"
#include "wolfhsm/wh_message_customcb.h"
#ifdef WOLFHSM_CFG_DMA
#include "wolfhsm/wh_dma.h"
@@ -151,6 +152,7 @@ typedef struct {
typedef struct whServerConfig_t {
whCommServerConfig* comm_config;
whNvmContext* nvm;
+ whAuthContext* auth;
#ifndef WOLFHSM_CFG_NO_CRYPTO
whServerCryptoContext* crypto;
@@ -170,6 +172,7 @@ typedef struct whServerConfig_t {
/* Context structure to maintain the state of an HSM server */
struct whServerContext_t {
whNvmContext* nvm;
+ whAuthContext* auth;
whCommServer comm[1];
#ifndef WOLFHSM_CFG_NO_CRYPTO
whServerCryptoContext* crypto;
diff --git a/wolfhsm/wh_server_auth.h b/wolfhsm/wh_server_auth.h
new file mode 100644
index 00000000..2ff344f9
--- /dev/null
+++ b/wolfhsm/wh_server_auth.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2025 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+/*
+ * wolfhsm/wh_server_auth.h
+ *
+ * Server-side Auth Manager API
+ */
+
+#ifndef WOLFHSM_WH_SERVER_AUTH_H_
+#define WOLFHSM_WH_SERVER_AUTH_H_
+
+/* Pick up compile-time configuration */
+#include "wolfhsm/wh_settings.h"
+
+#include
+
+#include "wolfhsm/wh_server.h"
+
+#ifdef WOLFHSM_CFG_ENABLE_SERVER
+
+/**
+ * @brief Handles incoming authentication and authorization requests.
+ *
+ * This function processes incoming auth request messages from the communication
+ * server and dispatches them to the appropriate auth manager functions.
+ *
+ * @param[in] server Pointer to the server context.
+ * @param[in] magic The magic number for the request.
+ * @param[in] action The action ID of the request.
+ * @param[in] seq The sequence number of the request.
+ * @param[in] req_size The size of the request packet.
+ * @param[in] req_packet Pointer to the request packet data.
+ * @param[out] out_resp_size Pointer to store the size of the response packet.
+ * @param[out] resp_packet Pointer to store the response packet data.
+ * @return int Returns 0 on success, or a negative error code on failure.
+ */
+int wh_Server_HandleAuthRequest(whServerContext* server,
+ uint16_t magic, uint16_t action, uint16_t seq,
+ uint16_t req_size, const void* req_packet,
+ uint16_t *out_resp_size, void* resp_packet);
+
+#endif /* WOLFHSM_CFG_ENABLE_SERVER */
+
+#endif /* !WOLFHSM_WH_SERVER_AUTH_H_ */